Email Verification Links Can Lead To Account Takeovers
A genuine email verification link can swap your session. An attacker sends you a link that really does point at a trusted domain. You click it. You are logged out of your own account and silently logged into an account the attacker controls. You might not even notice.
Here is how the attack works:
- Register Account A and verify it. Stay logged in.
- Register Account B in a private window. Do not verify it yet.
- Copy the verification link for Account B.
- Open that link in the browser where Account A is active.
- Result: Account B verifies. Account A logs out. The browser session switches to Account B.
An attacker registers with an email address that looks like yours, or like the service's support address, and disguises the link as a support request. Once you are unknowingly working inside the attacker's account, anything you do there lands in their hands: a subscription you pay for, files you upload, and personal details you enter are all stored in an account they can log into at will.
The attack is worse when the verification endpoint changes state on a plain GET request, which is how most email links work. An attacker can then embed the link in an image tag on any page you visit; the browser fetches it in the background and the session swap happens without a click. The emailed link alone is already enough, though, so the server-side flow is what has to change.
Risks of this flaw:
- Forced login into an attacker-controlled account (login CSRF), with your own session destroyed
- Silent account switching through a GET-based CSRF, with no click required
- Subscription theft: a purchase you make while switched is billed to you and credited to the attacker's account
- Data theft: files and details you enter while switched are readable by the attacker
How to fix it:
- Use single-use tokens. Invalidate the token immediately after one use.
- Use short token expiry. Links should expire in 15 to 60 minutes.
- Make verification session-aware. If the browser already holds a session for a different account than the one on the token, reject the request instead of swapping sessions.
- Never create or replace a session from a verification link. Verifying an email should only set the verified flag; the user signs in afterwards through the normal login form.
- Bind tokens to the specific email address they were issued for, and reject a token if the account's address has changed since it was issued.
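The reproduction steps above and the fixes in this list, as an added example in Python that is not code from the original article: a minimal in-memory model of the verification flow, with the vulnerable handler next to a hardened one. The account ids, email addresses, store layout and function names are constructed for illustration, not taken from any real application.

```python
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 30 * 60  # within the 15 to 60 minute window recommended above


@dataclass
class Account:
    email: str
    verified: bool = False


@dataclass
class VerifyToken:
    account_id: str
    email: str       # address the token was issued for
    issued_at: float
    used: bool = False


@dataclass
class Store:
    """Constructed in-memory stand-in for the database and session store."""
    accounts: dict = field(default_factory=dict)   # account id -> Account
    tokens: dict = field(default_factory=dict)     # raw token -> VerifyToken
    sessions: dict = field(default_factory=dict)   # session id -> account id


def register(store, account_id, email, now):
    """Creates an unverified account and the token that would be mailed out."""
    store.accounts[account_id] = Account(email)
    token = secrets.token_urlsafe(32)
    store.tokens[token] = VerifyToken(account_id, email, now)
    return token  # would be sent as https://app.example/verify?token=<token> (hypothetical URL)


def login(store, account_id):
    session_id = secrets.token_urlsafe(16)
    store.sessions[session_id] = account_id
    return session_id


def verify_vulnerable(store, token, browser_session, now):
    """Flawed flow: the link doubles as a login and replaces whatever session the
    browser already has. Returns (session id the browser ends up with, outcome)."""
    t = store.tokens.get(token)
    if t is None:
        return browser_session, "invalid"
    store.accounts[t.account_id].verified = True
    store.sessions.pop(browser_session, None)       # Account A is logged out ...
    return login(store, t.account_id), "verified"   # ... and the browser now holds Account B


def verify_hardened(store, token, browser_session, now):
    """Single-use, expiring, email-bound, session-aware, and never logs anyone in."""
    t = store.tokens.get(token)
    if t is None or t.used or now - t.issued_at > TOKEN_TTL_SECONDS:
        return browser_session, "invalid_or_expired"
    account = store.accounts.get(t.account_id)
    if account is None or account.email != t.email:
        return browser_session, "email_mismatch"    # address changed since issue
    active = store.sessions.get(browser_session)
    if active is not None and active != t.account_id:
        return browser_session, "wrong_session"     # reject; Account A is untouched
    t.used = True                                   # burn the token before acting on it
    account.verified = True
    return browser_session, "verified"              # no session created or replaced


def reproduce(verify):
    """Runs the steps from the article: A logged in, B unverified, A's browser opens B's link."""
    store = Store()
    now = 1_000_000.0
    register(store, "A", "victim@example.com", now)
    store.accounts["A"].verified = True
    sid_a = login(store, "A")
    token_b = register(store, "B", "attacker@example.com", now)
    sid_after, outcome = verify(store, token_b, sid_a, now + 60)
    return {
        "outcome": outcome,
        "a_still_logged_in": store.sessions.get(sid_a) == "A",
        "browser_account": store.sessions.get(sid_after),
        "b_verified": store.accounts["B"].verified,
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(verify_vulnerable))
    print("hardened:  ", reproduce(verify_hardened))
```

Running the script shows the vulnerable handler ending with Account A's session gone and the browser holding Account B, while the hardened handler leaves A's session alone and refuses to verify B. The hardened version deliberately returns the browser's existing session id unchanged on every path: the link can only flip a verified flag, so even a victim who opens an attacker's link while logged out is never signed in to anyone's account.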
Authentication flows are often overlooked. A verification link feels safe because it comes from a trusted domain, and that trust is exactly what makes it dangerous when the same link also creates or replaces a session.
Always ask: what happens if the wrong person clicks this link?
Source: https://dev.to/bijan53c/email-verification-link-leading-to-forced-account-takeover-3dgp
